Virus detected at every start up!! Help!

[Lisandro]

I have been trying to exclude the two files tripping the alarms in the resident scanner.  No success so far. That's why I am here.

For the Standard Shield provider (on-access scanning):
Left click the 'a' blue icon, click on the provider icon at left and then Customize.
Go to Advanced tab and click on Add button...

For the other providers (on-demmand scanning):
Right click the 'a' blue icon, click Program Settings.
Go to Exclusions tab and click on Add button...

You can use wildcards like * and ?.
But be carefull, you should 'exclude' that many files that let your system in danger.

[DavidR]

Keyloggers can be used for good and for evil, determining which is a problem for AVs. If you are happy that there is no problem and accept the risk then exclude the file being detected.

You could also check the offending/suspect file at: VirusTotal - Multi engine on-line virus scanner
Or Jotti - Multi engine on-line virus scanner if any other scanners here detect them it is less likely to be a false positive. You can't do this with the file in the chest, you will need to move it out.

What are you entering in the Program Settings, Exclusions and the Standard Shield, Custonize button, Advanced sections ?
We can have a look at it and ensure the path is correct for the exclusions.

[roscojones]

Good News!
I tried the response from Tech & it did the trick for me.

I have been trying to exclude the two files tripping the alarms in the resident
scanner.  No success so far. That's why I am here.

Tech Response
For the Standard Shield provider (on-access scanning):
Left click the 'a' blue icon, click on the provider icon at left and then Customize.
Go to Advanced tab and click on Add button...

For the other providers (on-demand scanning):
Right click the 'a' blue icon, click Program Settings.
Go to Exclusions tab and click on Add button...

You can use wildcards like * and ?.
But be carefull, you should 'exclude' that many files that let your system in danger.

----------------------------------------------------------------------------------
More from RJ

I did the search for false alarms & found a great post.

Go to: http://forum.avast.com/index.php?board=2;action=display;threadid=7779

"How to find out if it is a false alarm & what to do if it is".

[zzap64]

I don't believe it is a false positive.

The file is saved on my system on C:\Documents and Settings\..\rundl32.exe
File size: 4,688
File MD5: 429B5CC8C5D48CD025DC3CEAC70CBC22

Why would it be called rundl32 instead of the correct name rundll32 ?
Although it must be said on my system, a squared, ewido and spyware terminator do not pick it up or flag it as a virus/trojan.

System restore, various deletions and boot scans have not worked.
I now intend to delete the following from the registry, using the regedit command:

Scanning Registry:
  HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\OpenSaveMRU\*\f C:\Documents and Settings\..\rundl32.exe
  HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\OpenSaveMRU\exe\a C:\Documents and Settings\..\rundl32.exe
  HKCU\Software\vAutoDel\Loader C:\Documents and Settings\..\rundl32.exe

Would that finally remove it?
I appreciate your help guys!

[Lisandro]

I don't believe it is a false positive.
Why would it be called rundl32 instead of the correct name rundll32 ?

Really strange... this is a malware behavior indeed.

Although it must be said on my system, a squared, ewido and spyware terminator do not pick it up or flag it as a virus/trojan.

Sorry to ask again, but did you submit the file to Jotti and VirusTotal on-line scanners?

  HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\OpenSaveMRU\*\f C:\Documents and Settings\..\rundl32.exe
  HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\OpenSaveMRU\exe\a C:\Documents and Settings\..\rundl32.exe

These entries are innofensive... just your hdd search for the file.

  HKCU\Software\vAutoDel\Loader C:\Documents and Settings\..\rundl32.exe[/color]

I'm not so sure about this. It's strange...   

[zzap64]

I tried Jotti but file wouldn't upload - it showed as 0 bytes (which is incorrect) and was either locked or in use. I am going to try to unlock and try again.

Thanks

[zzap64]

Doh! I forgot to turn off firewall when uploading !
Sorry..
From Jotti:
File:  rundl32.exe 
Status:  INFECTED/MALWARE 
MD5  429b5cc8c5d48cd025dc3ceac70cbc22 
Packers detected:  UPX
Scanner results 
AntiVir  Found Trojan/Dldr.Small.AUI.12 
ArcaVir  Found Trojan.Downloader.Small 
Avast  Found Win32:Trojan-gen. 
AVG Antivirus  Found Downloader.Generic.WUX 
BitDefender  Found Trojan.Downloader.Small.AUI 
ClamAV  Found nothing
Dr.Web  Found nothing
F-Prot Antivirus  Found Possibly a new variant of W32/Downloader-Tir-based!Maximus 
Fortinet  Found W32/RT.AIX!tr.dldr 
Kaspersky Anti-Virus  Found Trojan-Downloader.Win32.Small.aix 
NOD32  Found nothing
Norman Virus Control  Found W32/DLoader.XPZ 
UNA  Found nothing
VirusBuster  Found nothing
VBA32  Found Downloader.Small.108 (paranoid heuristics) (probable variant) 

[DavidR]

I tried Jotti but file wouldn't upload - it showed as 0 bytes (which is incorrect) and was either locked or in use. I am going to try to unlock and try again.

Thanks

If it was detected by avast, did you sent it to the chest ?
If so it can't be uploaded to Jotti or anywhere else (usually seen in the 0 byte file size), that is the whole point of the chest to prevent access to the file. So it needs to be move out of the chest first.